Thursday, September 22, 2011

Adding Users in OpenLDAP

In this quick tutorial I will show how to add users to your directory.
I will be using two CentOS 5.5 x64 hosts for this presentation:
  • server - will be my test OpenLDAP server.
  • test - will be my test client host.
Before we begin I will assume OpenLDAP is already correctly installed on your system (you can refer to this procedure to learn more about the initial OpenLDAP installation and configuration).

In this example my base DN is: "dc=example,dc=org"
And my admin (rootdn) user on the LDAP server is "cn=Manager,dc=example,dc=org"

OK, let's get our hands dirty:

Server side:
First, check that the LDAP server is installed and that slapd is listening on port 389:
root@server# rpm -qa|grep -i ldap
root@server# lsof -i :389
slapd   20221 ldap    7u  IPv6 4349285       TCP *:ldap (LISTEN)
slapd   20221 ldap    8u  IPv4 4349286       TCP *:ldap (LISTEN)

Next, we will add a local user and set its password (the primary group "ldap-users" must already exist on the server for useradd -g to succeed):
root@server# useradd -g ldap-users john
root@server# passwd john

Now, we will copy john's line from /etc/passwd and feed it to one of the migration scripts shipped with OpenLDAP in order to create the corresponding "ldif" file:

root@server# grep john /etc/passwd > /etc/openldap/passwd.john
root@server# /usr/share/openldap/migration/ /etc/openldap/passwd.john /etc/openldap/passwd.john.ldif

We will add the newly created "ldif" file into our LDAP DB:

root@server# ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f  /etc/openldap/passwd.john.ldif

Enter LDAP Password:  
adding new entry "uid=john,ou=People,dc=example,dc=org"

Let's try to search for the john user in the LDAP DB (note that "-x" without "-D" is an anonymous simple bind):

root@server# ldapsearch -x -LLL '(uid=john)'
dn: uid=john,ou=People,dc=example,dc=org
uid: john
cn: john
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 15239
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/john
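As an added example (not the page's migration script, which is not shown here), the following shell builds the same LDIF entry the ldapsearch output above shows straight from the user's /etc/passwd and /etc/shadow lines, builds a posixGroup entry for the user's primary group so the gid resolves on the client as well, and decodes a userPassword value the way you would when checking what ldapsearch returned. The passwd/shadow/group lines are constructed sample input matching the entry on this page; "ou=Group" under the base DN is an assumption (the People OU is taken from the page).

```shell
#!/bin/sh
# Added example: generate OpenLDAP LDIF for a POSIX user and group, and inspect
# the userPassword attribute. Not the page's migrate_* script.
BASE_DN="dc=example,dc=org"          # suffix from the page
PEOPLE_OU="ou=People"                # OU from the page's ldapsearch output
GROUP_OU="ou=Group"                  # assumed OU for posixGroup entries

# Constructed sample lines equivalent to what the page's useradd produced.
PASSWD_LINE='john:x:500:500::/home/john:/bin/bash'
SHADOW_LINE='john:!!:15239:0:99999:7:::'   # "!!" = no usable password yet
GROUP_LINE='ldap-users:x:500:john'

# passwd_to_ldif "<passwd line>" "<shadow line>"
# Emits the entry with the same objectClasses/attributes as the page's entry.
passwd_to_ldif() {
    IFS=: read -r user _ uid gid gecos home shell <<EOF
$1
EOF
    IFS=: read -r _ hash last min max warn _ <<EOF
$2
EOF
    cn=${gecos%%,*}                  # full name from GECOS, if any
    [ -n "$cn" ] || cn=$user         # page's entry fell back to the login name
    cat <<EOF
dn: uid=$user,$PEOPLE_OU,$BASE_DN
uid: $user
cn: $cn
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$hash
shadowLastChange: $last
shadowMin: $min
shadowMax: $max
shadowWarning: $warn
loginShell: $shell
uidNumber: $uid
gidNumber: $gid
homeDirectory: $home
EOF
}

# group_to_ldif "<group line>"  -> posixGroup entry with one memberUid per member
group_to_ldif() {
    IFS=: read -r gname _ gid members <<EOF
$1
EOF
    printf 'dn: cn=%s,%s,%s\nobjectClass: posixGroup\nobjectClass: top\ncn: %s\ngidNumber: %s\n' \
        "$gname" "$GROUP_OU" "$BASE_DN" "$gname" "$gid"
    printf '%s\n' "$members" | tr ',' '\n' | while read -r m; do
        if [ -n "$m" ]; then printf 'memberUid: %s\n' "$m"; fi
    done
}

# userpassword_status "<base64 value after 'userPassword::'>"
# Prints the decoded value; returns 0 for a real crypt hash, 1 for a locked or
# unset placeholder ({crypt}!!, {crypt}*, {crypt}!..., empty) that no password
# can ever match.
userpassword_status() {
    decoded=$(printf '%s' "$1" | base64 -d)
    printf '%s\n' "$decoded"
    case $decoded in
        "{crypt}"|"{crypt}!"*|"{crypt}*") return 1 ;;
    esac
    return 0
}

# Stand-alone run: print the LDIF you would pipe into
#   ldapadd -x -D "cn=Manager,dc=example,dc=org" -W
# then check the value the page's ldapsearch returned.
passwd_to_ldif "$PASSWD_LINE" "$SHADOW_LINE"
echo
group_to_ldif "$GROUP_LINE"
echo
userpassword_status e2NyeXB0fSEh ||
    echo "locked placeholder: password authentication against this entry will fail"
```

Pipe the two entries into ldapadd as above. Run userpassword_status on the value ldapsearch prints whenever a migrated account cannot log in; a "{crypt}!!" result means the hash was copied from a shadow entry that never had a password set, not that the client configuration is wrong.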

The entry is there, but look at the userPassword line before moving on. The "::" means the value is base64; "e2NyeXB0fSEh" decodes to "{crypt}!!", which is the locked/unset placeholder copied from /etc/shadow, so no password will ever verify against this entry (crypt() of any password never equals "!!"). Set a real hash with ldappasswd or "slappasswd" plus ldapmodify before expecting logins to work. Also note that an anonymous search returned the hash at all: the default slapd ACLs let anyone read userPassword, which you should restrict in slapd.conf with something like
"access to attrs=userPassword by self write by anonymous auth by * none". NSS lookups (id, getent) do not need the password, so the client test below works either way. Now let's switch to the client.

Client side:
Check that your client is configured to talk to the LDAP server:
Add the server URI and the base DN to the NSS/PAM client configuration. On CentOS 5 the nss_ldap/pam_ldap libraries read /etc/ldap.conf (the OpenLDAP command-line tools read /etc/openldap/ldap.conf instead); /etc/ldap/ldap.conf is the Debian/Ubuntu location:

uri ldap://
base dc=example,dc=org

Edit /etc/nsswitch.conf so that user, shadow and group lookups fall through to LDAP after the local files (this covers name-service lookups such as id and getent; actual login authentication is PAM's job, via pam_ldap in system-auth):

passwd: files ldap
shadow: files ldap
group: files ldap
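The two client files above, with the transport hardened, as an added example that is not part of the original post. The plain "uri ldap://" form sends every NSS lookup, and any attribute the server's ACLs expose (including userPassword hashes), across the network in cleartext; StartTLS on port 389 with certificate checking fixes that without opening a second port. The hostname server.example.org and the CA certificate path are assumptions, and the option names are those of nss_ldap on CentOS 5.

```conf
# /etc/ldap.conf  (nss_ldap / pam_ldap on CentOS 5; hostname assumed)
uri ldap://server.example.org
base dc=example,dc=org
# Upgrade the port-389 session to TLS and refuse to talk to a server whose
# certificate does not chain to our CA (path assumed).
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt
# Never look up root or the ldap daemon account in the directory, so the box
# stays administrable when the LDAP server is down.
nss_initgroups_ignoreusers root,ldap

# /etc/nsswitch.conf  (unchanged from the post: local files first, then LDAP)
passwd: files ldap
shadow: files ldap
group:  files ldap
```

After the change, "id john" must still succeed, and a packet capture on port 389 should show the STARTTLS extended operation followed by a TLS handshake rather than readable search results.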

It's time to test our configuration from the client side:
First check that john isn't listed in your local /etc/passwd file:

root@test# grep john /etc/passwd

As we can see, no john here.
Now try to "id" john:

root@test# id john
uid=500(john) gid=500 groups=500

Just as we wanted: the uid resolves to "john" and comes from LDAP, since the local files do not know him. Notice, though, that gid 500 is printed without a name. Only the user was migrated; the server's "ldap-users" group exists just in the server's /etc/group, so the client has nothing to resolve 500 to. Add a posixGroup entry (cn=ldap-users, gidNumber 500, memberUid john) to the directory and "id john" will show the group name as well.
